Password Sync to target domain fails after a couple of hours

  • Question

  • Hi All,

    We're running into issues attempting to sync passwords between two domains that appear to be related to a Kerberos timeout following a FIM 2010 to MIM 2016 upgrade.

    We manage the domain in which MIM 2016 is configured (CORP) and have an MA configured for the domain (EXT) we're pushing passwords to. Everything works perfectly well for a couple of hours, then it begins to fail. Originally the issue was reported as being intermittent, but after some investigation I've found the following:

    After providing credentials for the service account (by selecting "Connect to Active Directory Forest", or by selecting "Containers" from within "Configure Directory Partitions"), password sync begins to work immediately.
    Testing password resets through the day works without issue.
    Testing the following morning fails to reset the password on the target domain.
    Providing the credentials again resolves the issue immediately.

    Each time I provide the credentials in the MIM console the following 2 events are logged on the server (CORP):

    Security-Kerberos
    Error code: 0x20 KRB_AP_ERR_TKT_EXPIRED
    Extended Error: "0xc0000133 KLIN(0)"
    Server Realm: EXT.FQDN

    Security-Kerberos
    A Kerberos error message was received on logon session CORP.FQDN\SVC_FIMSync
    Error Code: 0x19 KDC_ERR_PREAUTH_REQUIRED
    Server Realm: EXT.FQDN

    I'm aware the first error indicates a potential issue with time sync between the two domains, but we've had a look at this and the results show a difference of +/- 00.000xxxx, so I don't believe this is the cause.

    Has anyone ever come across a similar issue? 

    Any help is appreciated.
    Wednesday, June 12, 2019 1:12 AM

All replies

  • Darren-

    Is it possible there's a firewall that's filtering traffic? I would get a network trace from the MIM server when this happens and see what's happening.


    Thanks,
    Brian

    Consulting | Blog | AD Book

    Sunday, June 16, 2019 2:40 PM
    Moderator
  • Hey Brian

    We've ruled out any firewall issues, all required ports are open and confirmed working.

    We've reviewed the firewall logs and ran Wireshark both when the password sync is working and when it's not. The firewall doesn't interfere, but the trace did confirm that when the password sync begins failing, it doesn't appear to send the password reset request after the logon attempt.

    Monday, June 17, 2019 1:40 AM
  • Darren Mac,

    I have seen that as firewalls get smarter they also get dumber. They are inspecting the traffic more carefully, and if it doesn't match the application profile it has been told about, it will close the connection after things are going -- so the ports look open, some traffic happens and then wham, it stops. We saw this with remote PowerShell: the TCP connection would receive a reset, and it looked like the reset came from the remote server, but it came from the firewall.

    The other thing this sounds like is that something happens when you enter the credentials or look at the OUs (a port opens, a ticket is issued), but then the ticket expires, or the port closes.

    Short term you could script the periodic running of Set-MIISADMAConfiguration so that it keeps refreshing whatever it is.


    David Lundell, Twitter | Hire Identity Managed | FIM Best Practices book | How to Be an MVP in Life book

    Wednesday, June 26, 2019 3:30 AM
  • Hey David,

    We suggested scripting the re-auth of the MA as a temporary measure, but the client wants a permanent resolution, so we've got a support case open with MS at the minute. If it turns out to be a FIM/MIM issue I'll update this post with the resolution.

    We've been assured by our colleagues managing the target domain that their firewalls have been opened up and they are not interfering with the traffic but I'll raise the question again and see if we get a different outcome.

    Thanks,

    Darren

    Wednesday, June 26, 2019 4:41 AM
  • Hello Darren,

    We are seeing the same issue with the MIM 2016 SP1 version. Can you please tell me how you have scripted the re-auth of the MA? When I am trying to use Set-MIISADMAConfiguration I am getting a "username not found in the forest" error. I really appreciate your response.

    Thanks,

    Sunny

    Saturday, August 8, 2020 3:13 AM
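The following is an added example, not code from anyone in this thread, of the short-term workaround David describes (periodically re-running Set-MIISADMAConfiguration so the MA's credentials and Kerberos ticket are refreshed before the overnight failure) and of the scripted re-auth Sunny asks about. It also records the two Security-Kerberos errors from the original post around each refresh, which is the evidence a support case would want. The snap-in name MIIS.MA.Config and the cmdlet Set-MIISADMAConfiguration are real; the -MAName, -Credentials and -Forest parameter names, the MA name, the forest FQDN, the credential file path and the 4-hour interval are assumptions and placeholders you must replace with your own values.

```powershell
# Added example (not from the thread): scheduled refresh of the AD MA credentials
# on the MIM Synchronization Service server, with Kerberos-event evidence logging.
#
# Assumptions (not confirmed by the thread):
#   - MIIS.MA.Config snap-in and Set-MIISADMAConfiguration are installed on this server.
#   - Parameter names -MAName / -Credentials / -Forest are assumed from the
#     FIM-era documentation; check Get-Help Set-MIISADMAConfiguration locally.
#   - $MaName, $TargetForest and $CredentialFile are placeholders.

Add-PSSnapin MIIS.MA.Config -ErrorAction Stop

$MaName         = 'EXT AD MA'               # placeholder: name of the MA for the EXT forest
$TargetForest   = 'ext.example.invalid'     # placeholder for EXT.FQDN
$CredentialFile = 'C:\MIM\ext-ma-cred.xml'  # placeholder: Export-Clixml output, DPAPI-protected
$LookbackHours  = 4                         # matches the scheduled-task interval below

# Error names from the original post; matched against Security-Kerberos event text.
$FailureSignatures = @('KRB_AP_ERR_TKT_EXPIRED', 'KDC_ERR_PREAUTH_REQUIRED')

function Get-KerberosFailureEvents {
    param([string]$Realm, [int]$Hours)
    # Client-side Security-Kerberos errors are written to the System log.
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        StartTime    = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object {
            $m = $_.Message
            ($m -match [regex]::Escape($Realm)) -and
            (($FailureSignatures | Where-Object { $m -match $_ }).Count -gt 0)
        }
}

function Invoke-MaCredentialRefresh {
    param([string]$Name, [string]$Forest, [string]$CredPath)
    # Store the service account credential once, as the task's run-as user:
    #   Get-Credential | Export-Clixml -Path $CredPath
    # Export-Clixml protects the password with DPAPI for the saving user, so the
    # scheduled task must run under that same account; no plaintext password here.
    $cred = Import-Clixml -Path $CredPath
    Set-MIISADMAConfiguration -MAName $Name -Credentials $cred -Forest $Forest
}

# 1. Evidence: anything matching the thread's failure signature since the last run.
$before = @(Get-KerberosFailureEvents -Realm $TargetForest -Hours $LookbackHours)
foreach ($e in $before) {
    Write-Output ("{0:u} EventId={1} {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
}

# 2. Refresh unconditionally on every run, as David suggested; the original post
#    showed the ticket is re-issued as a side effect of re-supplying credentials.
Invoke-MaCredentialRefresh -Name $MaName -Forest $TargetForest -CredPath $CredentialFile
Write-Output ("{0:u} refreshed credentials for MA '{1}' ({2} prior Kerberos failure event(s))" -f (Get-Date), $MaName, $before.Count)
```

Save the script as, for example, C:\MIM\Refresh-ExtMa.ps1 and register it with Register-ScheduledTask using a trigger of New-ScheduledTaskTrigger -Once -At (Get-Date) -RepetitionInterval (New-TimeSpan -Hours 4) and a principal of the same account that exported the credential file; $LookbackHours should equal that interval so each run reports only the events since the previous one. This keeps the workaround running until the underlying ticket-lifetime or firewall cause is resolved with Microsoft support, and the per-run output gives the case a timeline of when the KRB_AP_ERR_TKT_EXPIRED and KDC_ERR_PREAUTH_REQUIRED errors actually appear.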